From 7782167627047664cac43f0148e2026396ab4857 Mon Sep 17 00:00:00 2001 From: trimstray Date: Tue, 19 Feb 2019 10:11:49 +0100 Subject: [PATCH] added 'Useful resources'; minor updates - signed-off-by: trimstray --- lib/post_install_tasks/disk_partitions.md | 55 +++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/lib/post_install_tasks/disk_partitions.md b/lib/post_install_tasks/disk_partitions.md index a453fad..50430e5 100644 --- a/lib/post_install_tasks/disk_partitions.md +++ b/lib/post_install_tasks/disk_partitions.md @@ -26,6 +26,11 @@ You should also consider separating these partitions: - `/var/tmp` - `/var/log/audit` +###### Useful resources + +- [Recommended partitioning scheme](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/s2-diskpartrecommend-x86) +- [Most secure way to partition linux?](https://security.stackexchange.com/questions/38793/most-secure-way-to-partition-linux) + #### :eight_pointed_black_star: Mount options: nodev, nosuid and noexec For more security-focused situations is as follows: 
@@ -34,6 +39,11 @@ For more security-focused situations is as follows: - `nosuid` - specifies that the filesystem cannot contain set userid files. Preventing setuid binaries on a world-writable filesystem makes sense because there's a risk of root escalation or other awfulness there - `noexec` - this param might be useful for a partition that contains no binaries, like **/var**, or contains binaries you do not want to execute on your system (from partitions with `noexec`), or that cannot even be executed on your system +###### Useful resources + +- [Linux Security: Mount /tmp With nodev, nosuid, and noexec Options](https://www.cyberciti.biz/faq/linux-add-nodev-nosuid-noexec-options-to-temporary-storage-partitions/) +- [Security Handbook/Mounting partitions](https://wiki.gentoo.org/wiki/Security_Handbook/Mounting_partitions) + #### :eight_pointed_black_star: Secure /boot directory The boot directory contains important files related to the Linux kernel, so you need to make sure that this directory is locked down to read-only permissions. 
@@ -113,6 +123,11 @@ And set `nodev`, `nosuid` and `noexec` mount options in `/etc/fstab`. > Alternative for **polyinstantiated directories** is **PrivateTmp** feature available from **systemd**. For more information please see: [New Red Hat Enterprise Linux 7 Security Feature: PrivateTmp](https://access.redhat.com/blogs/766093/posts/1976243). +###### Useful resources + +- [Increasing Linux server security with nodev, nosuid and no exec options](https://kb.iweb.com/hc/en-us/articles/230267488--Increasing-Linux-server-security-with-nodev-nosuid-and-no-exec-options) +- [Why it is important to Securing /dev/shm and /tmp](https://askubuntu.com/questions/389408/why-it-is-important-to-securing-dev-shm-and-tmp) + #### :eight_pointed_black_star: Secure /dev/shm `/dev/shm` is a temporary file storage filesystem, i.e. **tmpfs**, that uses RAM for the backing store. One of the major security issue with the `/dev/shm` is anyone can upload and execute files inside the `/dev/shm` similar to the `/tmp` partition. Further the size should be limited to avoid an attacker filling up this mountpoint to the point where applications could be affected. (normally it allows 20% or more of RAM to be used). The sticky bit should be set like for any world writeable directory. @@ -129,6 +144,10 @@ tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1777 0 0 tmpfs /dev/shm tmpfs rw,nodev,nosuid,noexec,size=1024M,mode=1770,uid=root,gid=shm 0 0 ``` +###### Useful resources + +- [Securing /dev/shm partition](https://www.gnutoolbox.com/securing-devshm-partition/) + #### :eight_pointed_black_star: Secure /proc filesystem The proc pseudo-filesystem `/proc` should be mounted with `hidepid`. When setting `hidepid` to **2**, directories entries in `/proc` will hidden. 
@@ -139,8 +158,43 @@ proc /proc proc defaults,hidepid=2 0 0 > Some of the services/programs operate incorrectly when the `hidepid` parameter is set, e.g. Nagios checks. +###### Useful resources + +- [Linux system hardening: adding hidepid to /proc mount point](https://linux-audit.com/linux-system-hardening-adding-hidepid-to-proc/) + #### :eight_pointed_black_star: Swap partition +Encryption of swap space is used to protect sensitive information. It improves the availability of the system, which is also an important part of information security. + +```bash +# Turn off the swap area +swapoff -a + +# Wipe the swap area +shred -vfz -n 10 /dev/sda2 + +# Update /etc/fstab +UUID=7e1e715e-7ac4-45ad-b029-18fed80f225f none swap defaults 0 0 + +# Add the swap area to /etc/crypttab +swap /dev/sda2 /dev/urandom swap + +# Activate the mapping +cryptdisks_start swap +/etc/init.d/cryptdisks restart + +# Add the encrypted swap area to /etc/fstab +/dev/mapper/swap none swap defaults 0 0 + +# Turn on the swap area +swapon -a +``` + +###### Useful resources + +- [dm-crypt/Swap encryption](https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption) +- [Encrypted swap partition on Debian/Ubuntu](https://feeding.cloud.geek.nz/posts/encrypted-swap-partition-on/) + #### :eight_pointed_black_star: Disk quotas #### :ballot_box_with_check: Summary checklist @@ -160,3 +214,4 @@ proc /proc proc defaults,hidepid=2 0 0 | Setting up polyinstantiated directories for `/tmp` and `/var/tmp` | :black_square_button: | :black_square_button: | | Secure `/dev/shm` directory with `nodev`, `nosuid`, `noexec` options | :black_square_button: | :black_square_button: | | Secure `/proc` filesystem with `hidepid=2` option | :black_square_button: | :black_square_button: | +| Secure swap area with cryptsetup | :black_square_button: | :black_square_button: | \ No newline at end of file
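Review bot: the first link added in hunk `@@ -26,6 +26,11 @@` points at the RHEL 6 installation guide (the URL contains `red_hat_enterprise_linux/6`); either link the recommended partitioning scheme for a currently supported release or put the version in the link text so readers know the advice is from RHEL 6.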
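Review bot: the two links added in hunk `@@ -113,6 +123,11 @@` are about `nodev`/`nosuid`/`noexec` and about `/dev/shm` and `/tmp`, but they land under the polyinstantiated directories section, directly above `#### Secure /dev/shm`; the first one also duplicates the topic already covered by the resources added under "Mount options: nodev, nosuid and noexec" in hunk `@@ -34,6 +39,11 @@`. Move them to the section they describe, or drop the duplicate.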
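Review bot: in hunk `@@ -139,8 +158,43 @@` the `bash` fence mixes shell commands with lines meant for configuration files, so `UUID=7e1e715e-... none swap defaults 0 0` and `/dev/mapper/swap none swap defaults 0 0` read as commands, and the "Update /etc/fstab" step shows the old UUID entry without saying that it has to be removed or commented out before the `/dev/mapper/swap` line replaces it (the raw partition's UUID is no longer valid once the device is mapped through dm-crypt). Split the file fragments into their own fences, or keep them in the block as comments. Two smaller points in the same hunk: the sentence "It improves the availability of the system" is not what swap encryption buys you, the benefit is confidentiality of data paged out of memory, so reword it; and because `/etc/crypttab` keys the swap from `/dev/urandom`, the key changes on every boot, which makes resume from hibernation impossible, a caveat worth stating next to the `crypttab` line. `/dev/sda2` should also be marked as a placeholder for the reader's own swap partition, since `shred -vfz -n 10` on the wrong device is destructive, and `cryptdisks_start swap` followed by `/etc/init.d/cryptdisks restart` does the same activation twice.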
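Review bot: hunk `@@ -160,3 +214,4 @@` leaves the file without a trailing newline (`\ No newline at end of file`); add the newline after the new `| Secure swap area with cryptsetup |` row so the next appended checklist row does not produce a noisy diff.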